Using Mozilla Firefox's built-in Password Manager to keep track of your browser's passwords? It makes site logins faster but it also could help malicious sites steal your passwords.
The bug, which has been known to Mozilla for at least 10 days, remains unpatched and exploits as well as a proof of concept exist in the wild.
"I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manger!" Security Researcher Robert Chapin wrote in a November 12th e-mail posted in the bugzilla bug tracking system.
"The underlying method was so obvious that it should have raised multiple warnings," Chapin continued. "There were none at all."
The flaw allows a maliciously crafted page to auto-fill a form with credentials intended for another site. Apparently, there is no warning in Firefox 2.0 or previous versions that the credentials are being pulled for the wrong site and submitted to a third party.
Details of the flaw first became public this week. Mozilla developers do not yet have a fix. "Since this bug is an in-the-wild attack we're not protecting anyone by hiding the details anyway," Mozilla developer Daniel Veditz wrote in a bugzilla entry. "Up to now, browser makes have focused on user convenience and assumed sites with valuable passwords would be well-written. But they have bugs just like we have bugs so we might have to be more defensive."

Firefox is not the only browser vulnerable to this type of exploit. IE7 and Safari are also vulnerable. This is probably the first, in my memory, exploit to affect multiple browsers on multiple platforms.

The exploit in question is a Reverse Cross-Site Request (RCSR), brought to light by last months phishing scam on MySpace.

This vulnerability could affect anyone, using FireFox, IE7, and Safari, visiting a website that allows user-contributed HTML code.

The browser is not directly fooled, by the RCSR exploit. Instead the user is presented with a fake login page that fool’s the browser into providing the UserID and Log-In information. None of these browsers were designed to check the form data before submission.

This type of attack is particularly effective, as the user is presented with a Log-In page very similar to the one they are used to seeing on a website they trust.

Microsoft has acknowledged the vulnerability, but inquires by Chapin Information Services (CIS) have been met with this response from Microsoft.“We are aware of the issue you reported.” And, “As a matter of policy, we cannot comment on ongoing investigations.”
I have located no official documentation from Apple regarding this vulnerability in Safari.

I should add to my previous post that Netscape 8 may also be vulnerable. Since Netscape 8 is built from the Firefox 1.x source tree, therefore it stands to reason that Netscape 8 may also be vulnerable to this kind of exploit.